Curiosity Pwned the Cat
Posted: 9th March 2012 by th3j35t3r
http://jesterscourt.mil.nf/2012/03/09/curiosity-pwned-the-cat/
So what's up with that?
Well, the thing about QR-Codes is 99% of the time they will be accessed via a mobile device, and 99% of those will be iPhone or Android devices. This gives me a known and narrow vector to exploit.
Now before you all start freaking out it was a highly targeted and precise attack, against known bad guys, randoms were left totally unscathed. Allow me to explain further……
Embedded inside the webpage with the ‘BOO’ greeting was some UTF encoded javascript, (I used this site to encode it) inside which was some code execution shellcode. When anyone hit the page the shellcode executed. The shellcode was a modified and updated version of the use-after-free remote code execution CVE-2010-1807, a known exploit for Webkit, which facilitated a reverse TCP shell connection to a ‘remote server’ which had an instance of netcat listening on port 37337.
I was going to leave it like this for a full week, however, a keen-eyed tweep going by the moniker @rootdial spotted the embedded code and asked about it via Twitter (he wasn't being malicious, just wondered if I knew about it.)
Webkit is an SDK component used in both Safari for iPhone and Chrome for Android.
UPDATE: I have opted to remove the source code and use screendumps instead.
and here is the raw shellcode (slightly modified so #anonymous can’t re-use it on YOU!)
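The post above describes a page whose inline JavaScript was hidden behind UTF/unicode escapes so that the shellcode would not be visible to a casual reader. From a defender's side, that kind of encoding is itself a signal: legitimate inline scripts rarely consist almost entirely of \uXXXX, %uXXXX or \xXX sequences. The following Python script is an added example (my own code, not th3j35t3r's and not the code from the original page) that pulls inline script blocks out of HTML, measures how much of each block is made of such escapes, decodes them so an analyst can read what they hide, and flags blocks above a threshold. The SAMPLE_HTML page is constructed for illustration; the threshold of 0.5 is an assumed tuning value, not something the post states.

```python
import re

# Matches the three escape forms commonly used to hide script text:
# JavaScript \uXXXX, the older %uXXXX form, and \xXX byte escapes.
ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|%u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# Inline <script> bodies; external src= scripts have an empty body and are ignored here.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample (not the original "BOO" page): one ordinary inline script
# and one whose body is almost entirely \uXXXX escapes around an eval() call.
SAMPLE_HTML = r"""<html><body><h1>BOO</h1>
<script>document.title = "hello";</script>
<script>eval("\u0076\u0061\u0072\u0020\u0078\u003d\u0031\u003b")</script>
</body></html>"""


def extract_scripts(page: str) -> list[str]:
    """Return the bodies of all inline <script> elements in the page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(page)]


def escape_ratio(script: str) -> float:
    """Fraction of the script's non-whitespace characters that belong to escape sequences."""
    body = "".join(script.split())
    if not body:
        return 0.0
    escaped = sum(len(m.group(0)) for m in ESCAPE_RE.finditer(body))
    return escaped / len(body)


def decode_escapes(script: str) -> str:
    """Replace every recognised escape sequence with the character it encodes."""
    def repl(m: re.Match) -> str:
        hexval = m.group(1) or m.group(2) or m.group(3)
        return chr(int(hexval, 16))
    return ESCAPE_RE.sub(repl, script)


def analyze(page: str, threshold: float = 0.5) -> list[dict]:
    """Score each inline script; flag those whose escape ratio meets the threshold."""
    findings = []
    for index, script in enumerate(extract_scripts(page)):
        ratio = escape_ratio(script)
        findings.append({
            "script_index": index,
            "escape_ratio": round(ratio, 3),
            "flagged": ratio >= threshold,
            # Decoded text lets an analyst read the hidden payload without running it.
            "decoded_preview": decode_escapes(script)[:120],
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_HTML):
        marker = "FLAGGED" if finding["flagged"] else "ok"
        print(f"script #{finding['script_index']}: ratio={finding['escape_ratio']} "
              f"[{marker}] -> {finding['decoded_preview']!r}")
```

The ratio is computed on the raw (still-encoded) text, so a block that merely contains a few escaped characters inside a normal string scores low, while a block that is escaped end to end scores near 1.0. Decoding is done with a static substitution, never by evaluating the script, so the tool is safe to run over captured pages in a triage pipeline.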
So in a nutshell when anyone scanned the original QR-Code using an iPhone or Android device, their device would silently make a TCP Shell connection back to my remote server. (like a phone call if you like).
Now for the really clever bit….
With Netcat listening at the other end for incoming connections, you can configure it to execute its own script when it receives a connection, for example, to send a Message of the Day to the connecting device, you would run netcat like this on your server:
nc -v -l -p 37337 -e "/bin/cat /etc/motd"
That’s just an example, in this instance, I had a script run that essentially checked to see:
- if any of the major mobile twitter clients were installed on the remote connecting device.
- if so read twitter username associated with the device (just the username!). Don't you love OAUTH.
I also had a list of 'targets' – twitter usernames I was interested in, these were comprised of usernames of:
- Islamic Extremists
- Al Qaeda Supporters
- Anonymous Members
- Lulz/Antisec Members
Here's a very SMALL sample of the much longer list: @alemarahweb, @HSMPress, @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol, @DiscordiAnon etc etc etc
to name but a few……. now then if the devices twitter client was not associated with a Twitter account, or it was but the account .....
Creepy? Only if you are naughty.
In all, this 'curiosity pwned the cat' sting went on for 5 days un-noticed.
Here are some facts and figures on how it went:
- Over 1200 curious netizens scanned the QR-Code.
- ^ Of those over 500 devices reverse shelled back to the listening server.
- ^^ Of those, a significant number were on the 'shit-list' and as such treated as valid targets.
EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.
I do not feel sorry for them.
In the interests of convenience, I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How's that for 'lulz'?
Here endeth the lesson.
UPDATE 03/12/2012
The resulting raw dump of the verbose output log from this exercise can be downloaded using the link below – although it’s encrypted with my PGP Public key. Have fun with that.
http://www.mediafire.com/file/25e53h3qxey4r6q/curiositylog.txt.pgp
There’s an unequal amount of good and bad in most things, the trick is to work out the ratio and act accordingly.
(I KNOW, RIGHT!)